Vulnerability Disclosure Policy
We welcome responsible disclosure from security researchers.
Scope
In scope:
- thrive.fi and app.thrive.fi (web application)
- Authenticated API routes under /api/*, excluding webhook endpoints for third-party services you do not control
- Public marketing and checkout flows
Out of scope:
- Social engineering, physical attacks, or attacks aimed directly at our third-party infrastructure providers
- Denial-of-service against production without prior written approval
- Issues in third-party exchange or market-data APIs
- Missing security headers without a demonstrated exploit
Rules of engagement
- Do not access, modify, or delete data that is not yours
- Do not perform testing that degrades service for other users
- Give us reasonable time to remediate before public disclosure; our standard window is 90 days
- Report in English with steps to reproduce, impact assessment, and proof-of-concept if available
Safe harbor
If you comply with this policy and act in good faith, we consider your research authorized and will not pursue legal action against you for it. We do not currently operate a paid bug bounty program; recognition and coordinated disclosure are offered at our discretion.
Report
Email security@thrive.fi with subject "Security vulnerability report". We aim to acknowledge within 3 business days and provide a status update within 10 business days.